After Decommissioning a Legacy System: Who Is Responsible for the Data?

By Emanuel Böminghaus, Legacy Systems Expert and Managing Director, AvenDATA

Shutting down a legacy system is often seen as a technical milestone — projects are marked as complete, interfaces are disconnected and servers are turned off. But what remains is the data. And with it, a critical question: who is responsible for this information once the original system no longer exists?
In practice, uncertainty frequently arises after decommissioning. IT departments no longer consider themselves responsible, business units lose access, data protection officers call for deletion, while compliance teams demand continued retention. This conflict can only be resolved if responsibilities are clearly defined early on — and documented unambiguously.

Responsibility Doesn’t End with System Shutdown

Even after a legacy system is technically decommissioned, the associated data remains relevant — legally, operationally, and organizationally. Business records, transactions, contracts and employee data are still subject to retention requirements, data protection regulations and potential audits. In short: the responsibility for this data shifts, but it doesn’t disappear.
A common misconception is that shutting down the system automatically transfers responsibility to IT — or that IT’s role ends there. In reality, multiple stakeholders are involved, each with different perspectives and responsibilities.

The Role of IT

IT is typically responsible for the technical aspects — safely shutting down infrastructure, migrating or archiving data, and managing access. Providing an archiving solution often falls within their scope. However, IT is not accountable for evaluating the content or its legal relevance. Their role is technical, not regulatory or business-specific.

Responsibility of Business Departments

Business departments are responsible for the creation, use, and interpretation of data — even after a legacy system is shut down. They understand which data is relevant, what needs to be retained, and what can be deleted. That’s why they must be actively involved in the archiving process, especially when defining data scope, access rights, and retention periods.
After archiving, the responsibility for the content remains with the respective department, even if access is read-only. If this responsibility isn’t clearly assigned, it can lead to gaps — particularly during audits or internal reviews.

Data Protection and Deletion Obligations

The data protection officer is responsible for ensuring compliance with storage limitations and the rights of individuals. Even after archiving, it must be guaranteed that personal data from legacy systems is not stored indefinitely, and can be deleted or anonymized once retention periods expire.
This requires coordinated deletion policies and clearly defined responsibilities — especially when deciding which data should be archived and which should be removed. Data protection responsibility typically lies with the business department, in consultation with the data protection officer — not with IT.

Compliance, Audits, and Legal Accountability

Compliance and legal departments have a vested interest in ensuring that archived data from legacy systems remains complete, unchanged and accessible. They are accountable to regulators, auditors and courts. Especially when it comes to tax-relevant records or potential legal disputes, access to historical data is critical.
To meet these requirements, compliance teams must work closely with IT and business departments to ensure all applicable regulations are followed — including GoBD, GDPR, HGB and industry-specific standards. Ultimately, senior executives or board members may be held liable for non-compliance, even years after a system has been decommissioned.

Conclusion: Clear Responsibilities Prevent Costly Mistakes

Responsibility for data doesn’t end when a legacy system is shut down. It spans across IT, business departments, data protection and compliance — and must be clearly defined. Without clear role assignments, organizations risk regulatory violations, data loss and internal confusion.
Archiving is not just a technical task — it’s a cross-functional project. Only through clearly assigned responsibilities, coordinated processes, and transparent documentation can organizations ensure that legacy data is handled properly — securely, legally, and reliably.